Accounts Payable Security Report: August 2022

Scammers Arrested for SMS Attacks

Hybrid work is now a permanent feature of employment for millions of Australians. However, hybrid work also opens up a range of security risks, with many staff using a range of computer devices on a daily basis.

Finance and accounting managers need to be aware that their teams may be using personal smart phones or tablets for a range of work-related functions. This may include processing outgoing payments through your organisation’s online banking portals.

Sophisticated scammers routinely engage in SMS scams, sending malicious links via text message or online messaging apps. Once a recipient clicks on a dangerous link, hackers can access the usernames and passwords employees use on a range of work-related apps.

This week, the Australian Federal Police arrested a 30-year old man in Sydney for engaging in just such SMS scams. It is alleged that the accused used a SIMBOX to send hundreds of thousands of automated text messages containing malicious links to fake websites that replicated Australian banking websites. When the victim entered their online banking username and password into the fake website, this information was relayed back to the criminal. This paved the way for the criminal to then use the login credentials to access the victim’s bank account, before stealing their funds.

A SIMBOX is a piece of hardware in which multiple SIM cards can be inserted. Messages can be rapidly pushed out using all the SIM cards, making it ideal for criminals engaging in SMS scams.

This case is an important reminder that all AP departments need strict controls in place around the devices their staff can use to conduct work. Personal devices should never be used for accessing corporate bank accounts. Ensure staff have ongoing training around the risks associated with SMS scams, and ensure all your online banking portals require a user to go through Multi-Factor Authentication before being able to login.

Criminals Circumventing MFA to Launch BEC Attacks

If you don’t yet have Multi-Factor Authentication (MFA) on all your systems, then you absolutely should prioritise setting it up ASAP. MFA makes it considerably harder for cyber criminals to access your corporate systems and data. Despite this, Microsoft is now warning that sophisticated hackers are finding ways to circumvent MFA.

According to Microsoft: “MFA provides an added security layer against credential theft, and it is expected that more organisations will adopt it, especially in countries and regions where even governments are mandating it. Unfortunately, attackers are also finding new ways to circumvent this security measure.”

Of particular concern is a type of attack called “Adversary-in-the-Middle,” or AiTM.

Typically, when you login to a web application (such as your Outlook email account) for the first time, you need to enter your username and password. However, if you return to the same web application at a future time, cookies in your computer remember your login credentials. The cookies allow you to re-enter the web application without having to re-enter your username and password each time.

Now, attackers are finding ways to access those cookies. This allows them to gain access to your web applications without needing the username and password, because the computer thinks the hacker is a repeat visitor to the web application.

AiTM sees attackers deploy a proxy server between a targeted victim and the web application they wish to visit. This allows the attacker to intercept and steal the victim’s session cookie that proves their ongoing and authenticated session with the web application.

As Microsoft notes, this is not a vulnerability in MFA. Rather, in an AiTM attack, the session cookie is stolen. This gives the attacker authenticated access to a web application on the legitimate user’s behalf, regardless of the sign-in method the latter uses.

Microsoft has identified hackers using stolen session cookies to access victims’ Outlook email accounts and engaging in Business Email Compromise (BEC) attacks. AiTM has been used to target more than 10,000 organisations with BEC attacks since September 2021.

Most concerningly, Microsoft discovered it took just five minutes after an AiTM breach of an Outlook mailbox for a BEC attack to be launched.

So, whilst all organisations should have MFA set up, you cannot assume that MFA alone leaves you fully protected. To stop BEC attacks, you need a multi-layered security approach that includes MFA as well as other systems that give you visibility over all outgoing funds, so you can stop illegitimate funds transfers in real-time.

BCC Is the New BEC

We are all very familiar with Business Email Compromise, or BEC. It sees cyber criminals compromising email accounts to manipulate payment details in emailed invoices. When you pay the invoice, you inadvertently send the money to a bank account controlled by the criminal.

BEC is also used to impersonate executives, such as an organisation’s CEO or CFO. In this attack vector, the criminals use the executive’s email account to send instructions to AP staff to send funds to a bank account controlled by the criminal.

However, as people become more attuned to the risks of email, cyber criminals are shifting gear.

Attackers know that many workers are now making widespread use of other messaging platforms, such as Microsoft Teams, Skype, Slack, and Google Chat. As a result, scammers are now targeting these messaging tools to defraud AP teams. This new type of attack is called “Business Communications Compromise,” or BCC.

Like BEC, a BCC attack aims to deceive AP staff into sending money to the criminal. However, it makes use of many more types of communications channels which AP staff are using. The challenge is that many of these alternate communications channels are ideal for quick communications between colleagues, often conducted on mobile devices. The speed of communications in these channels, and the fact they are often conducted using mobile devices, make AP staff more susceptible to error.

CFOs and AP managers need to ensure that all the internal controls they have in place to safeguard the use of email are also in place when it comes to other communications tools. AP staff should never comply with payment instructions issued via instant messaging platforms without first verifying the legitimacy of the instruction and conducting a call-back.